What is Emissary Panda, and how does it hack its targets?

Here is a look at the group of hackers, probably from China, suspected of carrying out a cyberattack on the Montreal-based International Civil Aviation Authority — how the hackers did it, and what they stood to gain from setting a trap for the world's aviation players.

A group of suspected Chinese cyberspies had much to gain from hacking ICAO

The hacker group known as Emissary Panda is suspected of being sponsored by the People's Republic of China. (Hélène Simard/CBC)

In November 2016, the Montreal-based International Civil Aviation Organization (ICAO) was hit by the most serious cyberattack in its history.

Internal documents obtained by CBC suggest key members of the team that should have prevented the attack tried to cover up how badly it was mishandled.

The documents obtained by CBC suggest the hacker was most likely a member of Emissary Panda, a sophisticated and stealthy espionage group with ties to the Chinese government.

Here is a look at the group of hackers, probably from China, suspected of carrying out a cyberattack on the Montreal-based International Civil Aviation Authority — how the hackers did it, and what they stood to gain from setting a trap for the world's aviation players.

What is Emissary Panda?

The group of hackers suspected of staging the attack is known by many names — among them: TG-3390, APT 27 and Bronze Union.

The cybersecurity firm SecureWorks has a "moderate level of confidence" that the hacker group is sponsored by the People's Republic of China.

In a 2015 report, it based that conclusion on a number of factors:

  • Emissary Panda is most active during the Chinese work day — between noon and 5 p.m. local time in China.
  • The cyberattacker uses the Chinese-language search engine Baidu.
  • It has parts of its hacking tools written in Chinese.
  • It has staged cyberattacks against the Uyghurs, the Chinese Muslim minority group repressed by the Chinese state.

The group has been active for at least 10 years, and it has also staged attacks in North America, South America, Asia, Europe and the Middle East.

The cyberattacker set up a series of 'watering holes,' a trap set on websites frequented by targets of a sophisticated hack. (Hélène Simard/CBC)

Cybersecurity experts consulted by CBC News said the group specializes in "cyberespionage," collecting data from corporate and government targets.

Ali Arasteh, a cybersecurity consultant with the firm FireEye, said many of Emissary Panda's activities align with the economic goals laid out by the Chinese government. It tends to target industries such as energy, aviation, defence and manufacturing, where China wants to gain a competitive edge.

How was the attack carried out?

Cybersecurity expert José Fernandez says ICAO was likely not chosen because it was a weak link.

"All targets are relatively easy," Fernandez said.

Emissary Panda uses a variety of methods to access a target's system, such as hacking its webmail server or sending phishing emails including malicious links or attachments.

While it is not known how the hackers got into ICAO's servers, experts on Emissary Panda's hacking activities say it's likely the group had access long before it was detected.

In its 2015 report on Emissary Panda, SecureWorks wrote that the group tends to spend a significant period of time in a target's system before it starts extracting data. Emissary Panda uses this time to find other access points, learn how the network is set up and identify important data.

The hacker used a classic watering hole attack: find a website your targets frequent — ICAO — and infect it with malware to gain access to those targets. (Hélène Simard/CBC)

The hacker group then sets up "strategic web compromises," also known as watering holes. Watering holes are traps on websites that they know targets will visit.

In the case of ICAO, when member states wanted to consult aviation documents online, they would be injected with malicious code that could give the attackers remote control of their computers.

Hackers could then create a chain of watering holes once they gained access to the systems of governments or corporations that visited the first watering hole.

What did the hackers have to gain?

Compromising ICAO would not cause planes to fall out of the sky.

The attack appears to be part of a larger strategic game, said Fernandez. With member states and aviation companies regularly visiting ICAO websites, he said the organization is a "one-stop shop" for encountering the targets of Chinese cyberspies.

According to the SecureWorks report, Emissary Panda often would find trusted websites frequented by political and corporate targets and infect them to gain access to data.

Arasteh, speaking generally about the hacker group's operations, said that data could include intellectual property and travel information for corporate executives and politicians.

With files from Debra Arbec


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversation  Create account

Already have an account?